hwauth vs NFS

Ken Hornstein kenh at cmf.nrl.navy.mil
Wed Nov 10 21:08:07 EST 2010 

>The solution I see around this is add some magic to the KDC so that
>nfs/* principals get the H flag set on their TGT's.  Some nfs/krb5
>implementations use root/ or host/, which could be ok but if we do
>nfs/ then at least we know the specific usage of this principal.
>
>Does that sound ok or am I missing something obvious?  To avoid
>adding another flag to the kdb (and risking portability) I could
>hardcode this in the KDC, however I then have a different portability
>problem.
>
>I'm ok with modifying the KDC to have the require-hwauth meaning that
>I need, if it doesn't already have that meaning.

require-hwauth already has that meaning (at least in MIT Kerberos), so
you're okay on that score.

It's probably not an option with commercial nfs/krb5 implementations,
but as someone who does all sorts of crazy Kerberos-specific
authorization checks ... have you considered putting this in the
NFS server code?  Obviously this would only work for open-source
NFS servers.  That is the logical place for it, and it would let
you do exactly what you want without having to modify the KDC.  Not
that I have any philosophical objection to modifying the KDC (we've
certainly done it enough) but you get into thorny problems when you
start doing things like adding hwauth ticket flags to only a certain
set of principals.  For example, if you're limiting access to resources
based on hwauth flags, you're subverting that model if you allow
certain tickets to be obtained _without_ hwauth, and that could have
rather nasty implications if you're not careful.

As a note ... we also allow certain users to conditionally get hwauth
tickets.  What we do in that case is set the hwauth flag on the AS_REQ
and that is a flag to the KDC to go through the hwauth code on the
server.  This is one of the extremely few cases where I did a protocol
modification.  Not sure if your intention was to have different classes
of users require hwauth, or simply allow some users to get hwauth some
of the time, but it's something to think about.

--Ken

More information about the Kerberos mailing list